* [PATCH] [v3] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
@ 2023-12-10 4:52 Dinghao Liu
2023-12-12 21:40 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Dinghao Liu @ 2023-12-10 4:52 UTC (permalink / raw)
To: dinghao.liu
Cc: Ariel Elior, Manish Chopra, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Yuval Mintz, netdev, linux-kernel
qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
qed_cxt_tables_alloc() accesses the freed pointer on failure
of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
which may lead to use-after-free. Fix this issue by setting
p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
Changelog:
v2: -Change the bug type from double-free to use-after-free.
-Move the null check against p_mngr->ilt_shadow to the beginning
of the function qed_ilt_shadow_free().
-When kcalloc() fails in qed_ilt_shadow_alloc(), just return
because there is nothing to free.
v3: -Remove refactoring unrelated to bug fixing.
-Set p_mngr->ilt_shadow to null instead of
p_hwfn->p_cxt_mngr->ilt_shadow.
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 65e20693c549..33f4f58ee51c 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -933,6 +933,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
p_dma->virt_addr = NULL;
}
kfree(p_mngr->ilt_shadow);
+ p_mngr->ilt_shadow = NULL;
}
static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] [v3] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
2023-12-10 4:52 [PATCH] [v3] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
@ 2023-12-12 21:40 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-12-12 21:40 UTC (permalink / raw)
To: Dinghao Liu
Cc: aelior, manishc, davem, edumazet, kuba, pabeni, Yuval.Mintz,
netdev, linux-kernel
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Sun, 10 Dec 2023 12:52:55 +0800 you wrote:
> qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
> free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
> qed_cxt_tables_alloc() accesses the freed pointer on failure
> of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
> which may lead to use-after-free. Fix this issue by setting
> p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().
>
> [...]
Here is the summary with links:
- [v3] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
https://git.kernel.org/netdev/net/c/b65d52ac9c08
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-12-12 21:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-10 4:52 [PATCH] [v3] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
2023-12-12 21:40 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).